day4 part1
This commit is contained in:
parent
c7797a0891
commit
c178fe095c
@ -1,3 +0,0 @@
---
title: Opening Keynotes
---
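Review bot: the commit message ("day4 part1") does not mention that the Opening Keynotes page is being deleted, and nothing else in this commit replaces it; if the keynote notes were intentionally dropped or moved to another file, say so in the message, otherwise keep the stub with `title: Opening Keynotes` so the day's page structure is not silently lost.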
@ -0,0 +1,16 @@
---
title: "TODO:"
weight: 1
---

## Problems

* Dockerfiles are hard and not 100% reproducible
* Buildpoacks are reproducible but result in large single-arch images
* Nix has multiple ways of doing things

## Solutions

* Degger as a CI solution
* Multistage docker images with distroless -> Small image, small attack surcface
* Language specific solutions (ki, jib)
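Review bot: the front matter still carries the placeholder `title: "TODO:"`, which is what this page will render under; fill in the talk title before merging. The bullets also have typos that should go in the same change: `* Buildpoacks are reproducible but result in large single-arch images` (Buildpacks), `small attack surcface` (surface), and in `* Degger as a CI solution` and `(ki, jib)` the tool names look mistyped and should be checked against the talk slides.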
@ -0,0 +1,54 @@
---
title: "eBPF’s Abilities and Limitations: The Truth"
weight: 2
---

A talk by isovalent with a full room (one of the large ones).

## Baseline

* eBPF lets you run custom code in the kernel -> close to hardware
* Typical usecases: Networking, Observability, Tracing/Profiling, security
* Question: Is eBPF truing complete and can it be used for more complex scenarios (TLS, LK7)?

## eBPF verifier

* The verifier analyzes the program to verify safety
* Principles
* Read memory only with correct permissions
* All writes to valid and safe memory
* Valid in-bounds and well formed control flow
* Execution on-cpu time is bounded: sleep, scheduled callbacks, interations, program acutally compketes
* Aquire/release and reference count semantics

## Demo: Game of life

* A random game of life map
* Implemented as a tetragon plugin
* Layout: Main control loop that loads the map, generates the next generation, and returns a next run function
* The timer callback pattern is used for infinite run

## eBPF Limits & workarounds

* Instruction limit to let the verifier actually verify the program in reasonable time
* Limit is based on: Instruction limit and verifier step limit
* nowadays the limit it 4096 unprivileged calls and 1 million privileged istructions
* Only jump forward -> No loops
* Is a basic limitation to ensure no infinite loops can ruin the day
* Limitation: Only finite iterations can be performed
* Loops: Newer versions support loops with upper bounds (`for x=0;: x<100`)
* Is the instruction limit hard?
* Solution: subprogram (aka function) and the limit is only for each function -> `x*subprogramms = x*limit`
* Limit: Needs real skill
* Programs have to terminate
* Well eBPF really only wants to release the cpu, the program doesn't have to end per se
* Iterator: walk abitrary lists of objects
* Sleep on pagefault or other memory operations
* Timer callbacks (including the timer 0 for run me asap)
* Memory allocation
* Maps are used as the memory management system

## Result

* You can execure abitrary tasks via eBPF
* It can be used for HTTP or TLS - it's just not implemented yet™
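Review bot: the limits bullet `* nowadays the limit it 4096 unprivileged calls and 1 million privileged istructions` mixes units: both figures are instruction counts (4096 instructions for unprivileged programs, 1 million for privileged ones), so "calls" should read "instructions", and the line would be clearer if it tied the 1 million figure back to the verifier step limit named in the preceding `* Limit is based on: Instruction limit and verifier step limit`. The loop example `for x=0;: x<100` has a stray colon. Spelling to fix in the same pass: "truing complete" (Turing), "LK7" (presumably L7), "interations", "acutally compketes", "Aquire", "istructions", "abitrary" (twice), "execure", "subprogramms".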